We're running JM+Sniffer and still having some problems with phishes.
Here are the headers of a message that passed through and didn't trip a
single test. Our user got 140 of these in a period of a few hours. He
always seems to be on the front end of these things.

I'm running SPF, so it didn't fail that. Notice the envelope from and
the from, though. Any ideas on how to combat this? What about some type
of combo test or something that could look at the "from" the user sees
and compare it against known good IPs for companies like eBay, PayPal,
Citibank, etc.?

If anybody has a good way of catching these, your input would be
greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net
[16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP (Microsoft 
Exchange Internet Mail Service Version 5.5.2653.13)
          id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2])
          by outbound3.example.net (Postfix) with ESMTP id BB00767835
            for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
    (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
            by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
           for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
            (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44)
          id 1D1FAQ-0001Yt-6Z
          for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay <[EMAIL PROTECTED]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[EMAIL PROTECTED]>
 Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0


example.net is us

-- 
Best regards,
 David                          mailto:[EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
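
The combo test asked about in the post, sketched as an added example (not code from the original post or from Declude): it takes the From header the user sees, finds the IP that handed the message to the first relay we control, and flags the message when a protected brand is claimed but that IP is outside the brand's allowlist. The brand ranges are RFC 5737 placeholders, the relay list is read off the Received chain in the post, and the sample message and its From address are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumption: our own relay addresses, taken from the Received chain in the post.
OUR_RELAYS = [ip_network(n) for n in ("16.45.66.4/32", "10.0.0.0/8", "192.168.0.0/16")]
# Assumption: placeholder ranges (RFC 5737), NOT the brands' real sending networks.
BRANDS = {"ebay": ("ebay.com", [ip_network("192.0.2.0/24")]),
          "paypal": ("paypal.com", [ip_network("198.51.100.0/24")])}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def external_sender_ip(msg):
    """Walk Received headers newest-first; return the first IP that is not ours.
    Headers below that hop were written by the sender and are never consulted."""
    for received in msg.get_all("Received", []):
        m = IP_RE.search(received)
        if not m:
            return None  # hop without a logged IP: stop instead of trusting older lines
        ip = ip_address(m.group(1))
        if not any(ip in net for net in OUR_RELAYS):
            return ip
    return None

def claimed_brands(msg):
    """Brands named in the From display name or the From address domain."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return [b for b, (dom, _) in BRANDS.items()
            if b in display.lower() or domain == dom or domain.endswith("." + dom)]

def check_brand_spoof(raw):
    """Return (handoff_ip, brands claimed in From but not sent from that brand's range)."""
    msg = message_from_string(raw)
    ip = external_sender_ip(msg)
    bad = [b for b in claimed_brands(msg)
           if ip is None or not any(ip in net for net in BRANDS[b][1])]
    return ip, bad

# Constructed sample shaped like the post's headers; the last Received line is forged.
SAMPLE = (
    "Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])\n"
    "\tby email_server.ourcustomerdomain.com with SMTP; Tue, 15 Feb 2005 21:42:05 -0500\n"
    "Received: from mail2.example.net (unknown [10.1.16.2])\n"
    "\tby outbound3.example.net (Postfix) with ESMTP; Tue, 15 Feb 2005 21:44:12 -0500\n"
    "Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])\n"
    "\tby mx1.example.net (Postfix) with ESMTP; Tue, 15 Feb 2005 21:44:23 -0500\n"
    "Received: from mail.ebay.com ([192.0.2.10]) by vps.parlori.net; Tue, 15 Feb 2005 20:43:00 -0600\n"
    "From: eBay <security@ebay.com>\nSubject: Security Validations\n\nbody\n")
```

SPF passes on a message like this because it evaluates the envelope sender, which is why the check keys on the header From and the handoff IP instead.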